zram: fix possible use after free in zcomp_create()

commit 3aaf14da807a4e9931a37f21e4251abb8a67021b upstream. zcomp_create() verifies the success of zcomp_strm_{multi,single}_create() through comp->stream, which can potentially be pointing to memory that was freed if these functions returned an error. While at it, replace a 'ERR_PTR(-ENOMEM)' by a more generic 'ERR_PTR(error)' as in the future zcomp_strm_{multi,siggle}_create() could return other error codes. Function documentation updated accordingly. Fixes: beca3ec71fe5 ("zram: add multi stream functionality") Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Acked-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

zram: fix possible use after free in zcomp_create()
commit 3aaf14da807a4e9931a37f21e4251abb8a67021b upstream. zcomp_create() verifies the success of zcomp_strm_{multi,single}_create() through comp->stream, which can potentially be pointing to memory that was freed if these functions returned an error. While at it, replace a 'ERR_PTR(-ENOMEM)' by a more generic 'ERR_PTR(error)' as in the future zcomp_strm_{multi,siggle}_create() could return other error codes. Function documentation updated accordingly. Fixes: beca3ec71fe5 ("zram: add multi stream functionality") Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Acked-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Luis Henriques · Greg Kroah-Hartman
1 parent d486236771
Showing 1 changed file with 7 additions and 5 deletions Side-by-side Diff
drivers/block/zram/zcomp.c
@@ -325,12 +325,14 @@
  * allocate new zcomp and initialize it. return compressing
  * backend pointer or ERR_PTR if things went bad. ERR_PTR(-EINVAL)
  * if requested algorithm is not supported, ERR_PTR(-ENOMEM) in
- * case of allocation error.
+ * case of allocation error, or any other error potentially
+ * returned by functions zcomp_strm_{multi,single}_create.
  */
 struct zcomp *zcomp_create(const char *compress, int max_strm)
 {
 	struct zcomp *comp;
 	struct zcomp_backend *backend;
+	int error;
  
 	backend = find_backend(compress);
 	if (!backend)
  
  
@@ -342,12 +344,12 @@
  
 	comp->backend = backend;
 	if (max_strm > 1)
-		zcomp_strm_multi_create(comp, max_strm);
+		error = zcomp_strm_multi_create(comp, max_strm);
 	else
-		zcomp_strm_single_create(comp);
-	if (!comp->stream) {
+		error = zcomp_strm_single_create(comp);
+	if (error) {
 		kfree(comp);
-		return ERR_PTR(-ENOMEM);
+		return ERR_PTR(error);
 	}
 	return comp;
 }
...	...	@@ -325,12 +325,14 @@
325	325	* allocate new zcomp and initialize it. return compressing
326	326	* backend pointer or ERR_PTR if things went bad. ERR_PTR(-EINVAL)
327	327	* if requested algorithm is not supported, ERR_PTR(-ENOMEM) in
328		- * case of allocation error.
	328	+ * case of allocation error, or any other error potentially
	329	+ * returned by functions zcomp_strm_{multi,single}_create.
329	330	*/
330	331	struct zcomp zcomp_create(const char compress, int max_strm)
331	332	{
332	333	struct zcomp *comp;
333	334	struct zcomp_backend *backend;
	335	+ int error;
334	336
335	337	backend = find_backend(compress);
336	338	if (!backend)
337	339
338	340
...	...	@@ -342,12 +344,12 @@
342	344
343	345	comp->backend = backend;
344	346	if (max_strm > 1)
345		- zcomp_strm_multi_create(comp, max_strm);
	347	+ error = zcomp_strm_multi_create(comp, max_strm);
346	348	else
347		- zcomp_strm_single_create(comp);
348		- if (!comp->stream) {
	349	+ error = zcomp_strm_single_create(comp);
	350	+ if (error) {
349	351	kfree(comp);
350		- return ERR_PTR(-ENOMEM);
	352	+ return ERR_PTR(error);
351	353	}
352	354	return comp;
353	355	}